Fake Reddit Website Phished Users with an Assist from Google

Once again, Google’s UI is aiding in phishing scams

A Reddit clone was squatting on a domain that closely resembles Reddit’s. Reddit.co was a fake website that took advantage of a common typo. When visitors reached the site they were greeted by an extremely convincing front page that was, at the time, marked “Secure” by the browser.

Image courtesy of Gizmodo

Google has already blacklisted the site, and it appears to have been taken down. But in the time it was up, it was phishing Reddit users and stealing their login information.

What’s odd is that Reddit never attempted to grab this domain. It’s fairly common for large brands to register similar domains that a typo might produce and then redirect them to their main page. Reddit is the 13th most popular website in the US. It appears Reddit had chances to nab this domain dating back to 2010, but never did.
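The brand-protection practice described above (registering or monitoring the typo variants of your own domain) is easy to automate. The following is an added example, not code from the article or from Reddit; it builds a watchlist of typo variants for a brand domain (TLD swaps such as .com to .co, dropped characters, swapped adjacent characters, doubled characters) and then flags any host in a constructed list of observed hostnames that lands on the watchlist. The TLD list and the sample hostnames are assumptions made for the example.

```python
"""
Typo-variant watchlist for brand protection.

Added example, not from the original article. Given a brand domain such as
"reddit.com", enumerate the lookalike domains a typo is likely to produce so
the owner can pre-register them or alert when they show up in logs.
"""
from itertools import chain

# Assumption: TLDs worth watching. ".co" covers the reddit.co case; "cm" and
# "om" cover the two other ways of dropping one letter from ".com".
WATCHED_TLDS = ("co", "com", "net", "org", "cm", "om")


def split_domain(domain: str) -> tuple[str, str]:
    """Split 'reddit.com' into ('reddit', 'com'). Only simple TLDs are handled."""
    label, _, tld = domain.lower().rpartition(".")
    if not label or not tld:
        raise ValueError(f"expected a registrable domain like brand.tld, got {domain!r}")
    return label, tld


def tld_variants(label: str, tld: str) -> set[str]:
    """Same label under every other watched TLD: reddit.com -> reddit.co, ..."""
    return {f"{label}.{t}" for t in WATCHED_TLDS if t != tld}


def omission_variants(label: str, tld: str) -> set[str]:
    """Drop one character of the label: reddit -> redit, rddit, reddt, ..."""
    return {f"{label[:i]}{label[i + 1:]}.{tld}" for i in range(len(label))}


def transposition_variants(label: str, tld: str) -> set[str]:
    """Swap two adjacent characters: reddit -> rdedit, redidt, ..."""
    out = set()
    for i in range(len(label) - 1):
        if label[i] != label[i + 1]:  # swapping identical letters changes nothing
            out.add(f"{label[:i]}{label[i + 1]}{label[i]}{label[i + 2:]}.{tld}")
    return out


def doubled_variants(label: str, tld: str) -> set[str]:
    """Repeat one character: reddit -> rreddit, redddit, redditt, ..."""
    return {f"{label[:i + 1]}{label[i]}{label[i + 1:]}.{tld}" for i in range(len(label))}


def typo_watchlist(domain: str) -> list[str]:
    """All typo variants of `domain`, sorted, excluding the genuine domain."""
    label, tld = split_domain(domain)
    variants = set(chain(
        tld_variants(label, tld),
        omission_variants(label, tld),
        transposition_variants(label, tld),
        doubled_variants(label, tld),
    ))
    variants.discard(domain.lower())
    return sorted(variants)


def registrable_domain(host: str) -> str:
    """Reduce 'www.reddit.com' to 'reddit.com' (assumes single-label TLDs)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def scan_hosts(hosts: list[str], brand: str) -> list[str]:
    """Return the observed hosts whose registrable domain is on the watchlist."""
    watch = set(typo_watchlist(brand))
    return [h for h in hosts if registrable_domain(h) in watch]


# Constructed sample of hostnames as they might appear in proxy or DNS logs.
SAMPLE_HOSTS = ["www.reddit.com", "reddit.co", "example.org", "redit.com"]

if __name__ == "__main__":
    for flagged in scan_hosts(SAMPLE_HOSTS, "reddit.com"):
        print(f"lookalike of reddit.com seen: {flagged}")
```

Running the block prints the two lookalikes in the sample (reddit.co and redit.com) while leaving the genuine www.reddit.com alone. Real deployments would replace the single-label TLD assumption with a public-suffix list and feed the watchlist to a DNS or certificate-transparency monitor rather than a static host list.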

The .co TLD belongs to Colombia, which probably should have never given the OK on this domain to begin with. But nonetheless, whoever was behind this Reddit clone did an impeccable job.

And I will credit Google for that: it wastes no time identifying malicious sites and blocking them.

But we’ve reached a crucial point where user education is lagging way behind the technology that is being pushed. It’s extremely easy to get a DV certificate. Some are free and many of the paid ones cost less than 10 dollars. That’s led to an explosion of HTTPS phishing.

It requires minimal effort for cybercriminals to slap a DV SSL certificate on their website and fool users into believing they’re safe. Because, let’s be honest, the average internet user has no idea what connection security is, much less what to look for. Too many people believe Secure = Safe.

And this is where Google needs to make a change. Unfortunately, the argument made by Google is that the new UI is working – that DV is doing its job just by authenticating the server.

If that’s the position you want to take then do something to educate your users. Who is in a better position than Google to influence the way people use the internet? I don’t have statistics but I’d be willing to wager that most Chrome users still have Google.com as their homepage. The very first thing they’ll see when opening their browser or opening up a new tab is the front page of Google’s website.

There’s a lot of negative space on that page, too. Why not spend some of it trying to educate users? Tomorrow you’re going to put up an interactive doodle with a turtle curling (the Olympic sport). But you can’t even teach your users what your security indicators mean? Hell, why not just make a Doodle that incorporates it? People actually write articles about “what the Google Doodle was today.” That link takes you to Time magazine. CNet and a slew of other outlets report on the Doodle too. At this point it’s practically its own genre of journalism. So why not use the Doodle to teach users something they should definitely know?

But forget about that for a minute, the crux of the issue is this: DV doesn’t deserve the secure indicator.

If DV SSL is supposed to become the standard, as many around the industry are fighting for, then it shouldn’t get special UI. Whether Google is aware of it or not, its UI – which marks any HTTPS site Secure, even before its Safe Browsing filters can blacklist it – is misleading its users. Look at that Reddit spoof again: it looks legitimate. And Google says it’s Secure. Why wouldn’t you trust it?

And this Reddit clone business is exactly why. Marking any website with HTTPS as Secure is patently irresponsible. Yes, maybe the site in question would have still caught some people without the Secure indicator. But when Google tells you something is secure, we tend to believe them.


Author

Hashed Out's Editor-in-Chief started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. He also designs the visuals for Hashed Out and serves as the Content Manager for The SSL Store™.